Firewall policies are configured with the Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied.
Rules For Applying Zone-Based Policy Firewall
Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:
- A zone must be configured before interfaces can be assigned to the zone.
- An interface can be assigned to only one security zone.
- All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
- Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
- In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
- The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
- Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
- Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
- If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
- From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
- The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.
Cisco Policy Language (CPL) Configuration
- Define zones.
- Define zone-pairs.
- Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.
- Define policy-maps to apply action to your class-maps’ traffic.
- Apply policy-maps to zone-pairs.
- Assign interfaces to zones.
Configuring Zone-Based Policy Firewall Class-Maps
Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort traffic on the criteria listed here. These criteria are specified using the match command in a class-map:
- Access-group—A standard, extended, or named ACL can filter traffic based on source and destination IP address and source and destination port.
- Protocol—The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to Port-Application Mapping can be specified.
- Class-map—A subordinate class-map that provides additional match criteria can be nested inside another class-map.
- Not—The not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class-map will be selected for the class-map.
Class-maps can apply match-any or match-all operators to determine how to apply the match criteria. If match-any is specified, traffic must meet only one of the match criteria in the class-map. If match-all is specified, traffic must match all of the class-map’s criteria in order to belong to that particular class.
Configuring Zone-Based Policy Firewall Policy-Maps
The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the policy-map. The class class-default’s default policy action is drop, but can be changed to pass. The log option can be added with the drop action. Inspect cannot be applied on class class-default.
Zone-Based Policy Firewall Actions:
- Drop—This is the default action for all traffic, as applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Traffic that is handled by the drop action is "silently" dropped by the ZFW, as opposed to an ACL's behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the "silent drop" behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.
- Pass—This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.
- Inspect—The inspect action offers state-based traffic control. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic. Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.
Controlling Access to the Router
The self zone is a zone created by default by the router. It has a permit policy by default, and it is used to manage traffic directed to or generated by the router.
To control traffic to and from the IP addresses on the router itself, one or many policies are needed.
If a policy is configured from any zone to the self zone, and no policy is configured from the self zone to the router’s user-configurable interface-connected zones, all router-originated traffic encounters the connected-zone to self-zone policy on its return to the router and is blocked. Thus, router-originated traffic must be inspected to allow its return to the self zone.
Self-zone policy has limited functionality as compared to the policies available for transit-traffic zone-pairs:
- As was the case with classical stateful inspection, router-generated traffic is limited to TCP, UDP, ICMP, and complex-protocol inspection for H.323.
- Application Inspection is not available for self-zone policies.
- Session and rate limiting cannot be configured on self-zone policies.
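As an added illustration, not code from the original page, the following Python model encodes the zone-membership rules listed under "Rules For Applying Zone-Based Policy Firewall" together with the self-zone behaviour described in this section, including the case where router-originated ICMP is blocked on its return until a self-to-outside inspect policy exists. The class and function names, the "self" pseudo-interface and the per-protocol action tables are this example's own assumptions.

```python
SELF = "self"  # system-defined zone: traffic to or from the router itself


class ZoneModel:
    """Interface-to-zone map plus the per-zone-pair actions of an inspect policy."""

    def __init__(self, members, zone_pairs):
        self.members = members        # interface name -> zone name
        # (source zone, destination zone) -> {protocol: "inspect" | "pass"};
        # a protocol not listed falls into class-default, which drops.
        self.zone_pairs = zone_pairs

    def zone_of(self, iface):
        return SELF if iface == SELF else self.members.get(iface)

    def one_way(self, src_zone, dst_zone, proto):
        """Action applied to a new packet of `proto` from src_zone to dst_zone."""
        if src_zone is None or dst_zone is None:
            # One side in a zone, the other not: blocked. Neither: classic routing.
            return "pass" if src_zone == dst_zone else "drop"
        if src_zone == dst_zone:
            return "pass"             # traffic inside one zone flows by default
        pair = self.zone_pairs.get((src_zone, dst_zone))
        if pair is not None:
            return pair.get(proto, "drop")
        if SELF in (src_zone, dst_zone):
            return "pass"             # self zone is open until a zone-pair says otherwise
        return "drop"                 # two zones with no zone-pair: implicit deny

    def session_allowed(self, src_if, dst_if, proto):
        """Return (initial packet allowed, reply packet allowed)."""
        s, d = self.zone_of(src_if), self.zone_of(dst_if)
        fwd = self.one_way(s, d, proto)
        if fwd == "drop":
            return (False, False)
        if fwd == "inspect":
            return (True, True)       # the session table admits the reply
        # "pass" is stateless: the reply must be permitted by the reverse pair
        return (True, self.one_way(d, s, proto) != "drop")


def router_ping_outside(with_self_policy):
    """The page's case: outside->self inspects only ssh/https; the router pings
    an outside host with or without the self->outside ICMP inspect policy."""
    members = {"Ethernet1/0": "inside", "FastEthernet2/0": "outside"}
    pairs = {("inside", "outside"): {"http": "inspect"},
             ("outside", "self"): {"ssh": "inspect", "https": "inspect"}}
    if with_self_policy:
        pairs[("self", "outside")] = {"icmp": "inspect"}
    return ZoneModel(members, pairs).session_allowed(SELF, "FastEthernet2/0", "icmp")
```

Without the self-to-outside policy the echo request leaves but the reply is caught by the outside-to-self policy's class-default; with it, the inspect session admits the reply.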
Scenario
Requirements:
- Define 3 security zones: inside, outside, dmz
zone security inside
zone security outside
zone security dmz
- Protocols allowed from INSIDE to OUTSIDE: http, https, ftp, icmp, dns, ssh, telnet, ntp, ymsgr
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
 match protocol telnet
 match protocol ntp
 match protocol ymsgr
- Protocols allowed from OUTSIDE to DMZ: http, https, ftp, tacacs
class-map type inspect match-any CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol tacacs
- Protocols allowed from INSIDE to DMZ: http, https, ftp, icmp, tacacs, ssh
class-map type inspect match-any CMAP_INSIDE_TO_DMZ_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol tacacs
 match protocol ssh
- Match only traffic generated from the inside zone (to outside)
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
 match access-group name FROM_INSIDE_NETWORK
 match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
- Match only traffic destined to the dmz zone (from outside)
class-map type inspect match-all CMAP_OUTSIDE_TO_DMZ_TRAFFIC
 match access-group name TO_DMZ_NETWORK
 match class-map CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
- Match only traffic generated from the inside zone to the dmz
class-map type inspect match-all CMAP_INSIDE_TO_DMZ_TRAFFIC
 match access-group name FROM_INSIDE_NETWORK
 match access-group name TO_DMZ_NETWORK
 match class-map CMAP_INSIDE_TO_DMZ_PROTOCOLS
ip access-list extended FROM_INSIDE_NETWORK
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended TO_DMZ_NETWORK
 permit ip any 192.168.223.0 0.0.0.255
- Configure a policy-map for every security zone-pair
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PMAP_INSIDE_TO_DMZ
 class type inspect CMAP_INSIDE_TO_DMZ_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PMAP_OUTSIDE_TO_DMZ
 class type inspect CMAP_OUTSIDE_TO_DMZ_TRAFFIC
  inspect
 class class-default
  drop log
- Apply policies to security zone-pairs
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security INSIDE_TO_DMZ source inside destination dmz
 service-policy type inspect PMAP_INSIDE_TO_DMZ
zone-pair security OUTSIDE_TO_DMZ source outside destination dmz
 service-policy type inspect PMAP_OUTSIDE_TO_DMZ
- Assign interfaces to zones
interface Ethernet1/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security inside
interface Ethernet1/1
 ip address 192.168.223.100 255.255.255.0
 zone-member security dmz
interface FastEthernet2/0
 ip address 172.20.1.2 255.255.255.0
 zone-member security outside
- Permit traceroute traffic from inside to outside
ip access-list extended UDP_TRACEROUTE_PORTS
 permit udp any any range 33434 33464
ip access-list extended ICMP_TRACEROUTE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE
 match access-group name UDP_TRACEROUTE_PORTS
class-map type inspect match-all CMAP_OUTSIDE_TO_INSIDE_TRACEROUTE
 match access-group name ICMP_TRACEROUTE
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE
  pass
 class class-default
  drop log
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class type inspect CMAP_OUTSIDE_TO_INSIDE_TRACEROUTE
  pass
 class class-default
  drop log
- Allow only SSH and HTTPS access to the router from zones outside and dmz.
ip access-list extended SSH_HTTPS_TRAFFIC
 permit tcp any any eq 22
 permit tcp any any eq 443
class-map type inspect match-all CMAP_HTTPS_SSH
 match access-group name SSH_HTTPS_TRAFFIC
 match protocol tcp
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class type inspect CMAP_HTTPS_SSH
  inspect
policy-map type inspect PMAP_DMZ_TO_SELF
 class type inspect CMAP_HTTPS_SSH
  inspect
zone-pair security ZP_OUTSIDE_TO_SELF source outside destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
zone-pair security ZP_DMZ_TO_SELF source dmz destination self
 service-policy type inspect PMAP_DMZ_TO_SELF
- Permit ICMP from the router to any destination
class-map type inspect match-all CMAP_ICMP
 match protocol icmp
policy-map type inspect PMAP_SELF_TO_ANY
 class type inspect CMAP_ICMP
  inspect
zone-pair security ZP_SELF_TO_OUTSIDE source self destination outside
 service-policy type inspect PMAP_SELF_TO_ANY
zone-pair security ZP_SELF_TO_DMZ source self destination dmz
 service-policy type inspect PMAP_SELF_TO_ANY
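An added example, not part of the original configuration: a small Python checker that parses the CPL object hierarchy used in the scenario (zones, ACLs, class-maps, policy-maps, zone-pairs, interface membership) and reports references to undefined objects as well as a policy-map class entered without "type inspect". The regular expressions and the constructed sample config, which deliberately contains four mistakes, are this example's own.

```python
import re

# One regex per object kind: where it is defined, and where it is referenced.
# "syntax": inside an inspect policy-map a class must read "class type inspect NAME".
DEFS = {"acl": r"ip access-list \S+ (\S+)",
        "cmap": r"class-map type inspect(?: match-\w+)? (\S+)",
        "pmap": r"policy-map type inspect (\S+)",
        "zone": r"zone security (\S+)"}
REFS = {"acl": r"match access-group name (\S+)",
        "cmap": r"(?:match class-map|class type inspect) (\S+)",
        "pmap": r"service-policy type inspect (\S+)",
        "zone": r"zone-member security (\S+)",
        "syntax": r"class (?!type inspect |class-default)(\S+)"}
ZONE_PAIR = r"zone-pair security \S+ source (\S+) destination (\S+)"


def lint(text):
    """Return dangling references and syntax slips found in a CPL config."""
    defined = {"acl": set(), "cmap": set(), "pmap": set(), "zone": {"self"}}
    refs, ctx = [], None                 # ctx = first line of the enclosing block
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(ZONE_PAIR, line):
            refs += [("zone", m[1], line), ("zone", m[2], line)]
        if line.startswith(("interface ", "zone-pair ")):
            ctx = line
        for kind, pat in DEFS.items():
            if m := re.match(pat, line):
                defined[kind].add(m[1]); ctx = line
        for kind, pat in REFS.items():
            if m := re.match(pat, line):
                refs.append((kind, m[1], ctx))
    return [f"{ctx}: 'class {name}' should be 'class type inspect {name}'" if kind == "syntax"
            else f"{ctx}: {kind} '{name}' is not defined"
            for kind, name, ctx in refs if kind == "syntax" or name not in defined[kind]]


# Constructed sample (names follow the scenario) with four deliberate mistakes.
SAMPLE = """\
zone security inside
zone security outside
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
 match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_HTTPS_SSH
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
interface Ethernet1/1
 zone-member security dmz
"""
```

Running `lint(SAMPLE)` flags the undefined nested class-map, the `class` line missing `type inspect`, the undefined policy-map on the zone-pair and the undefined dmz zone, in that order.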
Verification
R1#show zone security
zone self
  Description: System defined zone
zone inside
  Member Interfaces:
    Ethernet1/0
zone outside
  Member Interfaces:
    FastEthernet2/0
zone dmz
  Member Interfaces:
    Ethernet1/1
R1#show zone-pair security
Zone-pair name INSIDE_TO_OUTSIDE
    Source-Zone inside  Destination-Zone outside
    service-policy PMAP_INSIDE_TO_OUTSIDE
Zone-pair name INSIDE_TO_DMZ
    Source-Zone inside  Destination-Zone dmz
    service-policy PMAP_INSIDE_TO_DMZ
Zone-pair name OUTSIDE_TO_DMZ
    Source-Zone outside  Destination-Zone dmz
    service-policy PMAP_OUTSIDE_TO_DMZ
Zone-pair name OUTSIDE_TO_INSIDE
    Source-Zone outside  Destination-Zone inside
    service-policy PMAP_OUTSIDE_TO_INSIDE
Zone-pair name ZP_OUTSIDE_TO_SELF
    Source-Zone outside  Destination-Zone self
    service-policy PMAP_OUTSIDE_TO_SELF
Zone-pair name ZP_DMZ_TO_SELF
    Source-Zone dmz  Destination-Zone self
    service-policy PMAP_DMZ_TO_SELF
Zone-pair name ZP_SELF_TO_OUTSIDE
    Source-Zone self  Destination-Zone outside
    service-policy PMAP_SELF_TO_ANY
Zone-pair name ZP_SELF_TO_DMZ
    Source-Zone self  Destination-Zone dmz
    service-policy PMAP_SELF_TO_ANY
R1#show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE
 Zone-pair: INSIDE_TO_OUTSIDE
  Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE
    Class-map: CMAP_INSIDE_TO_OUTSIDE_TRAFFIC (match-all)
      Match: access-group name FROM_INSIDE_NETWORK
      Match: class-map match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
        Match: protocol http
          14 packets, 560 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          1 packets, 64 bytes
          30 second rate 0 bps
        Match: protocol dns
          64 packets, 2967 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol telnet
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ymsgr
          2 packets, 80 bytes
          30 second rate 0 bps
        Match: protocol https
          23 packets, 920 bytes
          30 second rate 0 bps
        Match: protocol ntp
          105 packets, 5880 bytes
          30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [2:1782]
        udp packets: [0:338]
        icmp packets: [0:6]
        im-yahoo packets: [0:85]
        Session creations since subsystem startup or last reset 208
        Current session counts (estab/half-open/terminating) [4:0:0]
        Maxever session counts (estab/half-open/terminating) [27:4:5]
        Last session created 00:00:03
        Last statistic reset never
        Last session creation rate 3
        Maxever session creation rate 33
        Last half-open session total 0
    Class-map: CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE (match-all)
      Match: access-group name UDP_TRACEROUTE_PORTS
      Pass
        84 packets, 3360 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        93 packets, 3800 bytes